These days it's not uncommon for consumers to see commercials during prime time warning them about the dangers of identity theft or to receive a stack of legalese-laden privacy notices in the mail from their service providers. Data security and privacy have obviously become top concerns for consumers -- and for the U.S. and international regulators who've created a patchwork of new data laws with the advent of the Internet. At the same time, many consumers expect technology to enable better service, such as having their accounts accessible 24/7, or having their problems solved rapidly when they dial a customer call center. The question for CIOs is how to create a satisfying customer experience while complying with regulations to ratchet up overall data security.

"Companies find themselves in a growing regulatory environment," says Marcus Blosch, vice president at Gartner Executive Programs. "To take compliance seriously, and to adopt policies and mechanisms that are needed to implement compliance efforts smoothly, you need a change management process in place. The answer is being proactive rather than reactive to legislation."

Dealing with regulatory realities means CIOs have to work closely with the CFO and CEO to avoid fines and, in some cases, personal liability for privacy breaches or violations. Maintaining business continuity while taking steps to comply with regulations also means CIOs need to focus less on meeting the minimum requirements of compliance and more on establishing strong corporate governance strategies that actually improve the customer experience.

"Compliance is the wrong approach," says Everett Johnson, international president of the IT Governance Institute (ITGI). "The companies that are getting payback -- such as higher customer satisfaction -- look at it as a risk management process because they don't want to lose customers or customer trust."

In other words, CIOs can turn data security compliance efforts into a competitive advantage in customer service rather than a business disruption.

Know the landscape

Of the numerous data protection laws an organization might have to contend with, not all directly impact the customer experience, but many do, including:

Health Insurance Portability and Accountability Act (HIPAA) Under this law, health care providers and insurance companies have to establish strong safeguards to protect the privacy and integrity of patients' records, and to inform patients of how their data will be handled. "Some of these requirements can feel like they work against the consumer, such as when your doctor can't easily share your records to improve your treatment or when your doctor can't share information with you over the phone," says Larry Ponemon, founder of the Ponemon Institute, which surveys Fortune 500 companies about ethical information and privacy management practices. "The regulations were intended to protect patients' rights, but can create a burden for the physician and patient."

California laws This bellwether state is passing a wave of laws that dictate how companies can collect, store, and share personal data, thus changing how organizations will provide customer service and maintain consumers' trust. For example, Senate Bill (SB) 27 requires businesses to inform customers of any third parties that have had access to their data. Then there's SB 168, which prohibits businesses from using California residents' Social Security numbers as unique consumer IDs. To comply with SB 1, which is being challenged in federal court, financial services companies would have to get customers' consent to share their data with third parties. And SB 1386 states that any company or individual who has customers in the state, or conducts any business in California, must notify consumers if their electronic records are stolen, lost, or otherwise compromised. A similar bill has now been introduced in Congress.

Safeguarding Americans from Exporting Identification Data (SAFE ID) Act Companies claim they outsource data processing overseas to save consumers money down the line, but customers might not feel secure if they don't know how their most personal information is being handled when it leaves U.S. borders. Introduced by Sen. Hillary Rodham Clinton (D-New York) in April, the SAFE ID Act would regulate how U.S. organizations send accounting and medical information overseas for processing, including giving consumers the chance to opt out, without penalty, of having their personal information exported to affiliates and subsidiaries.

Gramm-Leach-Bliley Act This law is aimed at making it easier for financial services companies to merge. In the process, it establishes stricter guidelines for protecting the privacy of customers' information, requires companies to advise consumers of their privacy policies, and allows consumers to opt out of sharing certain personal financial information.

Sarbanes-Oxley (SOX) Act The law holds senior executives of publicly traded companies accountable for maintaining and securing financial statements for up to seven years. Complying with Section 404 of the law alone can cost a company $3.4 million on average, according to a survey of billion-dollar public companies released last month by Financial Executives International. SOX does apply to the maintenance of records, however, which is a daunting task that requires many companies to overhaul their entire data collection, permissions, and storage protocols. Though it's not as likely as with other regulations, this entire change process could possibly trickle down to customers if IT gets bogged down with compliance efforts, says Moira Berman, who's been a management consultant for "Big 4" accounting firms and currently specializes in assisting public companies with Sarbanes-Oxley compliance initiatives. "IT resources focused on Sarbanes-Oxley compliance activities can take time away from business-related IT activities," she says.

European Union data protection laws The EU has strict laws to protect personal privacy, and companies that do business within the region must comply. Compliance requires balancing security and customer convenience, says Phebe Waterfield, senior analyst for the Yankee Group. "The spirit of these laws is to foster responsibility and accountability to shareholders and customers," she says. "There is a trade-off, though. Like if you lose your password for online banking and can't verify your identity over the phone -- such as knowing your last transaction or balance -- you'll have to get a new password by snail mail. There is an inconvenience for the consumer but most will accept it as they don't want their identity hijacked."

Developing an effective governance strategy

Once you know how laws might impact your customers' experience, the next step is rolling out a corporate governance strategy to protect customers' data, improve service, and adequately secure and store records.

Focus on corporate governance The ITGI's Johnson says the first step in any compliance effort is to assess current systems and data collection practices to mitigate risk and limit customer disruptions. The ITGI has created a framework dubbed COBIT (Control Objectives for Information and related Technology) to guide organizations in deploying a strong baseline security process. COBIT outlines 39 steps CIOs can follow, from defining and organizing a security strategy to monitoring processes.

Put controls in place Many organizations use automated solutions, from voice recognition software in call centers to help verify customers' identities, to scheduled backup and recovery for records and access logs, to tracking when records or processes are modified. Implementing enabling technologies, such as automated security and storage tools and processes, requires integrating security into day-to-day procedures and educating employees about the importance of following these procedures. Based on COBIT, the next phases focus on delivering and supporting security systems and implementing rules to control access to services and data. For instance, you can deploy digital certificates and public-key encryption to tighten security and authentication for online users. Once customers are authenticated, it's important to make it convenient for them to change their preferences or complete transactions via phone or online.

Respond with some restraint Experts agree that to maintain business continuity, the key is to not go overboard when it comes to compliance. "Don't do any extra that might have an unexpected impact or take up critical resources," Berman says. And Gartner's Blosch adds that you don't want to become too bureaucratic at the expense of nimbleness. "You want to simplify and consolidate systems. In fact, many CIOs use regulations such as Sarbanes Oxley to push through the consolidation that they already needed to get done," he says. "In the end they are in a better position to be compliant -- fewer systems to audit and they're more agile to serve customers. You need to keep data safe, but you also need to know where you can afford not to have too many controls in place in order to make sure you still have flexibility to innovate."

Build trust to build your business CIOs also need to step up to the plate when it comes to understanding how customers want their data to be used, and not only enforce privacy protection measures but respond when and if there is a breach, says Ponemon. Also, it's important to make data accuracy part of any corporate governance plan to limit annoyances for customers and mistakes. "It's not just about complying with the law, it's about respecting the consumer. Security should be a way of engendering trust to lower customer churn rates and drive revenue," he says. "Even a negative event can be turned around to show the consumer that you care about them, such as taking the time to send an honest letter about what happened." Johnson agrees that CIOs who are most successful dealing with privacy regulations share the philosophy that the information "belongs to the customer. The company only has temporary custody of that data, and they have an obligation to protect it."

Courtney Macavinta is a Silicon Valley-based business and technology writer. Her articles have appeared in CNET News.com, Business 2.0, Red Herring, and The Washington Post.